Consul - Securizare acces

Postat la Mon 23 December 2019 in tutoriale, consul

Sunt cazuri cand Consul este necesar sa fie securizat.

Consul foloseste liste de acces (ACL) pentru securizarea accesului la API, consola si interfata de administrare, comunicarea serviciilor cat si a agentilor.

In principal un ACL grupeaza reguli de acees intr-o politica de acess (policy) pe cate apoi le asociaza unui token.

Intializarea ACL

Intializarea ACL se recomanda a se face la configurarea initiala a unui cluster pentru evitarea nefunctionarii cluster-ului pana la configurarea tuturor agentilor.

Creem urmatorul fisier in /etc/consul.d/acl.hcl:

# agent.hcl

acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
}

unde politica implicita e deny iar token-uri create vor fi salvate pentru persistenta pe disc. Apoi restartam fiecare nod.

Nota: La un cluster functional putem folosi default_policy=allow pana la generarea token-urilor.

Generam token-ul initial (bootstrap token) ce permite access full.

# consul acl bootstrap
AccessorID:       21f5614b-2a32-6345-c703-aea8219e0f3a
SecretID:         7850a9cb-0bac-c4dc-099b-fb2173a199b7
Description:      Bootstrap Token (Global Management)
Local:            false
Create Time:      2019-12-16 17:56:44.79720835 +0000 UTC
Policies:
    00000000-0000-0000-0000-000000000001 - global-management

Acesta este SecretID de mai sus.

Pentru parcurgerea urmatorilor pasi in consola vom include token-ul in variabila CONSUL_HTTP_TOKEN:

export CONSUL_HTTP_TOKEN=7850a9cb-0bac-c4dc-099b-fb2173a199b7

Securizare agenti

Generarea si aplicarea toke-urikor pentru agenti se face in 3 pasi:

  • crearea politicilor de acces
  • generare unui token pentru politica creata
  • adaugarea token-ului in configuratia agentului.

Generam fisierul consul-server-policy.hcl pentru nodul consul-server ce permite dreptul includere in catalog, actualizare verificari de sanatate nod:

node "consul-server" {
    policy = "write"
}

Nota: Mai multe gasiti in documentatie legat de regulile aplicabile unui nod.

Importam regula in Consul sub numele consul-server:

# consul acl policy create -name consul-server -rules @consul-server-policy.hcl
ID:           8e3394aa-3226-57b5-3d0f-643c20b7f361
Name:         consul-server
Description:
Datacenters:
Rules:
node "consul-server" {
    policy = "write"
}

Generam token-ul aferent politicii adaugate:

# consul acl token create -description "consul-server agent token" -policy-name consul-server
AccessorID:       0ce578b9-689d-91c6-b1a5-42b482090cd5
SecretID:         1ae89bc3-a33e-238e-371f-fdd5c3e2577b
Description:      consul-server agent token
Local:            false
Create Time:      2019-12-16 18:04:38.864121035 +0000 UTC
Policies:
    8e3394aa-3226-57b5-3d0f-643c20b7f361 - consul-server

unde la fel SecretID etste token-ul generat.

Aplicam/asociem tokenul la agent din consola:

# consul acl set-agent-token agent "1ae89bc3-a33e-238e-371f-fdd5c3e2577b"
ACL token "agent" set successfully

ce va creea fisieul /var/consul/acl-tokens.json

Nota: Comanda se aplica atat timp cat politica implicita este allow.

Ori prin fisierul de configurare ACL anterior creat:

acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
  tokens = {
    agent = "1ae89bc3-a33e-238e-371f-fdd5c3e2577b"
  }
}

Repetam acesti pasi pentru toti agentii incepand de la servere.

Securizare servicii

Pasi pentru servicii sunt similari ca pentru agenti. Creem un fisier cu reguli fe-service-policy.hcl

service "fe" {
  policy = "write"
}

Nota: Mai multe gasiti in documentatie legat de regulile aplicabile unui seviciu.

Importam regula in Consul:

# consul acl policy create -name fe-service-policy -rules @fe-service-policy.hcl
ID:           cf840487-efd7-cd5c-5cfa-b1a5d46bc4b7
Name:         fe-service-policy
Description:
Datacenters:
Rules:
service "fe" {
  policy = "write"
}

Generam tokenul (SecretID) aferent politicii:

# consul acl token create -description "fe service policy" -policy-name fe-service-policy
AccessorID:       8b4ce66b-acf8-e714-33cb-43b8388e68da
SecretID:         b63cd2c1-455a-534d-62a0-897cc63da5fc
Description:      fe service policy
Local:            false
Create Time:      2019-12-16 18:37:28.107741205 +0000 UTC
Policies:
    cf840487-efd7-cd5c-5cfa-b1a5d46bc4b7 - fe-service-policy

Si il includem fisierul de configurare aferent serviciului de pe agent:

{
  "service": {
    "name": "fe",
    "tags": [
      "web",
      "urlprefix-/ weight=0.1"
    ],
    "port": 80,
    "token": "b63cd2c1-455a-534d-62a0-897cc63da5fc",
    "check": {
      "id": "web-app",
      "name": "Web App Status",
      "http": "http://localhost/status.html",
      "interval": "10s"
    }
  }
}

Aplicam acest token pe toate nodurile unde ruleaza acest serviciu.

Repetam pasii pentru fiecare serviciu in parte.

Securizare servicii DNS

Daca folositi autodiscovery prin DNS, sunt nesare politici legate de noduri si servcii. Includem in dns-request-policy.hcl regulile:

node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
# only needed if using prepared queries
query_prefix "" {
  policy = "read"
}

ce apoi sunt importate in consul:

# consul acl policy create -name dns-request-policy -rules @dns-request-policy.hcl
ID:           59e6e00f-9579-0b9a-28d3-786a0291328b
Name:         dns-request-policy
Description:
Datacenters:
Rules:
node_prefix "" {
  policy = "read"
}
service_prefix "" {
  policy = "read"
}
# only needed if using prepared queries
query_prefix "" {
  policy = "read"
}

si generam tokenul aferet:

# consul acl token create -description "Token for DNS Requests" -policy-name dns-requests-policy
AccessorID:       11765265-afaa-1cec-66b0-8461ae85434d
SecretID:         9cf9629e-fed6-cc39-b256-3d2c323e5e4d
Description:      Token for DNS Requests
Local:            false
Create Time:      2019-12-16 19:58:54.228487931 +0000 UTC
Policies:
  59e6e00f-9579-0b9a-28d3-786a0291328b - dns-request-policy

Acesta este token-ul default (implicit) pe care agentul il va folosi in comunicarea DNS

# consul acl set-agent-token default "9cf9629e-fed6-cc39-b256-3d2c323e5e4d"

Sau in fiserul de configurare:

acl = {
  enabled = true
  default_policy = "deny"
  enable_token_persistence = true
  tokens = {
    agent = "0cfea3db-fb26-f2f9-12c7-5dbb25446e72"
    default = "9cf9629e-fed6-cc39-b256-3d2c323e5e4d"
  }
}

Si restart serviciul consul

Verificam functionarea serviciulu DNS:

# dig @127.0.0.1 -p 8600 fe.service.consul

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> fe.service.consul
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fe.service.consul.             IN      A

;; ANSWER SECTION:
fe.service.consul.      0       IN      A       10.209.214.169

;; ADDITIONAL SECTION:
fe.service.consul.      0       IN      TXT     "consul-network-segment="

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 16 20:45:44 UTC 2019
;; MSG SIZE  rcvd: 98